important: runc/espeak-ng security update
important
An update for runc/espeak-ng is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
runc:
espeak-ng:
Security Fix(es):
runc: A file descriptor leak issue was found in the runc package. While a user performs `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when performing `setcwd(2)`, which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset after `execve`, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors.(CVE-2024-21626)
runc: bugfix
espeak-ng: A flaw was found in the espeak-ng package. A local attacker can use a specially-crafted payload to trigger a buffer overflow condition, which can lead to an application crash or allow for arbitrary code execution.(CVE-2023-49990)
espeak-ng: A flaw was found in the espeak-ng package. A local attacker can use a specially crafted payload to trigger a floating point exception error, which may lead to a denial of service.(CVE-2023-49994)
espeak-ng: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.